Privacy Policy
Effective Date: 28 February 2026 | Last Updated: 28 February 2026
Website: gemialdigital.com | Email: info@gemialdigital.com | Phone: +254 792 265 122 / +254 723 175 402
What This Policy Means For You – Plain-English Summary
We collect your name, email, phone number and message when you fill in our contact or quote forms.
We collect browsing data (pages visited, device type, location) automatically via Google Analytics and similar tools.
We use your data to respond to enquiries, deliver our services, send relevant marketing (with your consent), and improve this website.
We do not sell your personal data. We share it only with trusted service providers who help us operate this website and deliver services.
You have the right to access, correct, or delete your data at any time. Contact us at info@gemialdigital.com.
This policy is governed by the Kenya Data Protection Act 2019.
1. Introduction & Who We Are
Gemial Digital (“we”, “us”, “our”) is a performance-first digital marketing agency founded and operating from Nairobi, Kenya. We are committed to protecting the privacy of every individual who visits our website, submits an enquiry, or engages our services.
This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, who we share it with, and what rights you have under the Kenya Data Protection Act 2019 and any other applicable data protection legislation.
This Policy applies to:
- The website gemialdigital.com and all its pages, blog posts, and resources.
- Enquiry forms, quote request forms, booking forms, and contact forms on this website.
- Email and phone communications initiated through this website.
- Personal data shared with us as part of a client service engagement.
Please read this Policy carefully. By using our website or engaging our services, you acknowledge that you have read and understood this Policy.
2. Data Controller Details
Gemial Digital is the data controller for personal data collected through this website and in the context of client service engagements. As data controller, we determine the purposes and means of processing your personal data.
Business Name: Gemial Digital
Primary Office: Muthaiga, Thika Road, Nairobi, Kenya
Additional Office: Reading, United Kingdom
Email: info@gemialdigital.com
Phone: +254 792 265 122 / +254 723 175 402
Website: gemialdigital.com
For any questions or concerns regarding this Privacy Policy or the way we handle your personal data, please contact us at info@gemialdigital.com. We aim to respond to all privacy-related enquiries within five (5) business days.
3. Personal Data We Collect
3.1 Data You Provide Directly
We collect personal data that you voluntarily provide to us when you interact with this website or contact us. This includes:
| Data Type | How It Is Collected |
| Full name | Contact form, quote request form, booking form, email |
| Email address | Contact form, quote request form, booking form, email newsletter sign-up |
| Phone number | Contact form, quote request form, booking form, telephone call |
| Business name and website URL | Quote request form, client onboarding |
| Message content and enquiry details | Contact form, email correspondence |
| Billing and payment information | Invoices and payment processing (we do not store full card details) |
| Platform access credentials | Shared by clients for service delivery purposes (stored securely) |
| Marketing and campaign data | Provided by clients as part of service delivery |
3.2 Data Collected Automatically
When you visit our website, we automatically collect certain technical and behavioural data through cookies and analytics tools. This includes:
| Data Type | Purpose |
| IP address | Security, fraud prevention, and approximate location identification |
| Browser type and version | Website optimisation and compatibility |
| Operating system and device type | Mobile/desktop experience optimisation |
| Pages visited and time spent on each page | Website performance analysis and content improvement |
| Referring URL (where you came from) | Understanding traffic sources and marketing effectiveness |
| Approximate geographic location (country/city) | Analytics and audience reporting |
| Click behaviour and scroll depth | Conversion rate optimisation (CRO) and UX improvement |
| UTM parameters and campaign source tags | Marketing attribution and ROI measurement |
3.3 Data From Third-Party Sources
We may receive personal data about you from third-party sources in limited circumstances, including:
- Advertising platforms (Google Ads, Meta Ads) — anonymised or aggregated audience and campaign performance data.
- CRM integrations — where a client connects their CRM to our chatbot or analytics tools, we may process customer data on their behalf.
- Referrals — if a third party recommends us and shares your contact details, we will use those details only to respond to the referral enquiry.
- Publicly available sources — company directories or LinkedIn profiles, where we reach out for legitimate B2B marketing purposes.
4. How We Use Your Personal Data
We use the personal data we collect for the following purposes, relying on the legal bases described below:
| Purpose | Legal Basis (Kenya DPA 2019) |
| Responding to enquiries, contact form submissions, and quote requests | Legitimate interests / Pre-contractual steps |
| Delivering agreed digital marketing services to clients | Performance of a contract |
| Processing invoices and payments | Performance of a contract / Legal obligation |
| Sending service-related updates and communications | Performance of a contract |
| Sending marketing emails, newsletters, and updates (where you have opted in) | Consent |
| Analysing website traffic and improving website performance | Legitimate interests |
| Running remarketing and advertising campaigns (with appropriate consents) | Consent / Legitimate interests |
| Fraud prevention, security, and abuse detection | Legitimate interests / Legal obligation |
| Compliance with legal and regulatory obligations | Legal obligation |
| Creating anonymised case studies and portfolio references (with approval) | Legitimate interests / Consent |
Where we rely on legitimate interests as our legal basis, we have assessed that our interests are not overridden by your rights and freedoms. You may object to processing based on legitimate interests at any time — see Section 9 for details.
Where we rely on your consent as our legal basis, you may withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of any processing carried out before withdrawal.
5. Cookies & Tracking Technologies
5.1 What Are Cookies?
Cookies are small text files placed on your device when you visit a website. They allow the website to remember your actions and preferences over time, and help us understand how visitors use our site so we can improve it.
5.2 Types of Cookies We Use
| Cookie Category | Description and Purpose |
| Strictly Necessary | Essential for the website to function. These cannot be disabled. Examples: session management, security tokens, WordPress login cookies. |
| Analytics & Performance | Track how visitors interact with the website (pages visited, time on site, bounce rate). We use Google Analytics (GA4) for this purpose. Data is anonymised or pseudonymised where possible. |
| Marketing & Advertising | Used to deliver relevant ads and track campaign performance. Includes the Google Ads conversion tag, Meta Pixel, and similar advertising pixels. Placed only with your consent. |
| Functional / Preference | Remember your preferences and settings to improve your experience (e.g., language, region, form data). Set only when you interact with specific features. |
5.3 Third-Party Cookies
Some cookies on our website are set by third-party services we use, including:
- Google Analytics (GA4) — website traffic analysis and audience reporting. Google’s Privacy Policy applies: policies.google.com/privacy
- Google Ads — conversion tracking and remarketing. Google’s Privacy Policy applies.
- Meta Pixel — advertising campaign performance and custom audience creation on Meta platforms (Facebook, Instagram). Meta’s Data Policy applies.
- Rank Math SEO Plugin — site performance and SEO analytics (WordPress).
- Contact form plugins — may set functional cookies to prevent spam (e.g., reCAPTCHA).
These third-party services may transfer data to servers outside Kenya, including to the United States and European Union. We have assessed these transfers and rely on the service providers’ compliance with applicable data protection frameworks and standard contractual clauses where applicable.
5.4 Your Cookie Choices
When you first visit our website, you will be presented with a cookie consent notice that allows you to accept or decline non-essential cookies. You can change your preferences at any time by:
- Clicking the cookie settings link in our website footer.
- Adjusting your browser settings to block or delete cookies. Note that disabling certain cookies may affect website functionality.
- Using your browser’s incognito or private browsing mode, which prevents cookies from being stored after your session.
- Opting out of Google Analytics tracking at: tools.google.com/dlpage/gaoptout
Please note that strictly necessary cookies cannot be disabled as they are required for the website to function.
6. How We Share Your Personal Data
6.1 Our Principle: We Do Not Sell Your Data
Gemial Digital does not sell, rent, or trade your personal data to any third party for their own marketing purposes. We will never monetise your data in this way.
6.2 Service Providers and Data Processors
We share personal data with carefully selected third-party service providers who process data on our behalf to help us operate this website and deliver our services. These include:
| Service Provider Category | Purpose |
| Website hosting provider | Hosting and serving the gemialdigital.com website |
| Email service provider (e.g., Gmail / Google Workspace) | Sending and receiving emails, client communications |
| CRM and project management tools | Managing client relationships, project tracking, and communication |
| Google Analytics / GA4 | Website traffic analysis and performance reporting |
| Google Ads | Managing paid advertising campaigns on behalf of clients |
| Meta Business Suite | Managing social media and paid campaigns on Meta platforms |
| Payment processors (e.g., bank transfer, M-Pesa) | Processing invoices and client payments |
| Accounting and invoicing software | Financial record-keeping and invoicing |
| WordPress plugins and website tools | Operating website features, forms, SEO, and security |
| Communication tools (e.g., WhatsApp, Zoom, Google Meet) | Client communication and project meetings |
All third-party service providers are bound by contractual obligations to process data only on our instructions, maintain appropriate security standards, and not use your data for their own purposes.
6.3 Legal Disclosure
We may disclose personal data to law enforcement, regulatory authorities, or other third parties where we are legally required to do so, including in response to valid court orders, legal proceedings, or requests from the Office of the Data Protection Commissioner of Kenya.
6.4 Business Transfers
In the event of a merger, acquisition, restructuring, or sale of all or part of Gemial Digital’s business, personal data held by us may be transferred to the successor entity. We will notify affected individuals in advance of any such transfer and ensure appropriate safeguards are in place.
6.5 Professional Advisers
We may share personal data with our legal advisers, accountants, auditors, or insurers where necessary for the provision of their professional services to us. These parties are bound by professional confidentiality obligations.
7. International Data Transfers
Gemial Digital is headquartered in Nairobi, Kenya and also maintains a presence in Reading, United Kingdom. Some of the third-party tools and platforms we use — including Google, Meta, and various SaaS providers — store and process data on servers located outside Kenya, including in the United States and the European Union.
Where personal data is transferred outside Kenya, we take steps to ensure that appropriate safeguards are in place, including:
- Relying on service providers who operate under comprehensive data protection frameworks, such as the EU General Data Protection Regulation (GDPR) or comparable standards.
- Incorporating standard contractual clauses (SCCs) or other approved transfer mechanisms where required.
- Assessing that the destination country provides an adequate level of data protection, or that contractual safeguards compensate for any shortfall.
You may request further information about the safeguards in place for international data transfers by contacting us at info@gemialdigital.com.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with our legal obligations, and to resolve any disputes or enforce our agreements. The following retention periods apply:
| Data Category | Retention Period |
| Enquiry and contact form data (no contract formed) | 2 years from the date of last contact |
| Client personal data and project records | 7 years from the end of the engagement (for legal and tax compliance) |
| Financial and billing records | 7 years (Kenya tax and accounting requirements) |
| Website analytics data (Google Analytics) | 14 months (default GA4 retention; anonymised aggregates held indefinitely) |
| Marketing email list (opted-in subscribers) | Until you unsubscribe or withdraw consent, plus 1 year |
| Cookie data | As specified in our cookie consent banner; session cookies expire when you close your browser |
| Client platform credentials | Duration of engagement; securely deleted within 30 days of engagement end |
When data is no longer required, it is securely deleted, anonymised, or destroyed in a manner that prevents reconstruction or recovery.
9. Your Rights Under the Kenya Data Protection Act 2019
As a data subject under the Kenya Data Protection Act 2019, you have the following rights in relation to your personal data:
Right of Access
You have the right to request confirmation of whether we hold personal data about you, and to receive a copy of that data, together with information about how it is being processed.
Right to Rectification
You have the right to request that we correct any inaccurate or incomplete personal data we hold about you. We will respond to rectification requests within a reasonable time.
Right to Erasure
You have the right to request the deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent (and there is no other lawful basis for processing), or where you object to processing and there are no overriding legitimate grounds. Note that we may be required to retain certain data to comply with legal obligations.
Right to Object
You have the right to object to the processing of your personal data where we rely on legitimate interests as our legal basis. You also have an unconditional right to object to processing for direct marketing purposes at any time.
Right to Restriction of Processing
You have the right to request that we restrict the processing of your personal data in certain circumstances — for example, while a dispute about its accuracy is being resolved, or where you have objected to processing and we are assessing whether our legitimate interests override your rights.
Right to Data Portability
Where we process your personal data on the basis of consent or performance of a contract, and the processing is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to have it transmitted to another controller where technically feasible.
Right to Withdraw Consent
Where we rely on your consent to process your personal data, you have the right to withdraw that consent at any time by contacting us at info@gemialdigital.com or by clicking the unsubscribe link in any marketing communication. Withdrawal of consent does not affect the lawfulness of any processing carried out before withdrawal.
Right to Lodge a Complaint
If you are dissatisfied with how we have handled your personal data, you have the right to lodge a complaint with the Office of the Data Protection Commissioner of Kenya (ODPC). Contact details for the ODPC can be found at odpc.go.ke.
To exercise any of your rights, please contact us at info@gemialdigital.com. We will respond to all verified data subject requests within thirty (30) days. In complex cases, we may extend this period by a further sixty (60) days, in which case we will notify you of the extension and the reasons for it. Exercising your rights is free of charge, though we may charge a reasonable fee where requests are manifestly unfounded or excessive.
10. How We Protect Your Personal Data
Gemial Digital takes the security of your personal data seriously. We implement appropriate technical and organisational security measures designed to protect your data against unauthorised access, alteration, disclosure, or destruction. These measures include:
10.1 Technical Measures
- Encryption of data in transit using TLS/HTTPS across all website communications.
- Secure, password-protected storage of credentials and client-provided access keys.
- Use of reputable, security-audited hosting and cloud infrastructure providers.
- Regular website security scans, malware monitoring, and SSL certificate management.
- Two-factor authentication (2FA) on internal tools and platforms where available.
- Firewalls, access controls, and intrusion detection on company systems.
10.2 Organisational Measures
- Access to personal data is restricted to team members who need it to perform their work.
- Team members are made aware of their obligations regarding data privacy and confidentiality.
- Subcontractors and third-party service providers are assessed for data security practices before engagement.
- We conduct periodic reviews of our data handling practices and security posture.
10.3 Data Breach Response
In the event of a personal data breach, Gemial Digital has procedures in place to identify, contain, and assess the impact of the breach. Where a breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will notify them without undue delay and, where required, notify the Office of the Data Protection Commissioner of Kenya (ODPC) within 72 hours of becoming aware of the breach.
Despite our best efforts, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your data, but we commit to taking all reasonably practicable steps to protect it.
11. Marketing Communications
11.1 How We Use Your Data for Marketing
If you have provided your email address when contacting us, submitting a quote request, or signing up to receive updates, we may send you marketing communications about our services, blog content, industry insights, and promotions that we think may be relevant to your business. We will only send marketing communications where we have a lawful basis to do so — either your consent or our legitimate business interests in marketing similar services to existing or prospective clients.
11.2 Opting Out
You may opt out of receiving marketing communications from Gemial Digital at any time by:
- Clicking the unsubscribe link in any marketing email we send you.
- Emailing us at info@gemialdigital.com with the subject line “Unsubscribe” or “Marketing Opt-Out”.
- Contacting us by phone at +254 723 175 402.
We will process all opt-out requests promptly and no later than ten (10) business days from receipt. Please note that opting out of marketing communications does not affect the sending of service-related communications related to active client engagements (such as project updates, invoices, and support responses).
11.3 Remarketing and Advertising
We may use your browsing behaviour on our website — collected via advertising pixels (such as the Google Ads conversion tag and Meta Pixel) — to show you relevant advertising on other websites and platforms. This is known as remarketing. These pixels are placed only with your consent through our cookie consent mechanism. You may opt out at any time by adjusting your cookie preferences, updating your ad settings in your Google or Meta account, or using an ad blocker or browser privacy extension.
12. Children’s Privacy
Our website and services are not directed at children under the age of 18. We do not knowingly collect personal data from children. If you are a parent or guardian and believe that a child under 18 has provided us with personal data without your consent, please contact us immediately at info@gemialdigital.com. We will take prompt steps to delete any such data from our records.
13. Links to Third-Party Websites
Our website contains links to third-party websites, including tool recommendations, affiliate links, and external resources. These websites operate independently of Gemial Digital and are governed by their own privacy policies. We have no responsibility for the content, practices, or privacy standards of any third-party website. We encourage you to review the privacy policy of any third-party site you visit before submitting personal data to it.
Please note that the presence of a link on our website does not constitute an endorsement of that website or its privacy practices.
14. Client Data & Data Processing
14.1 Acting as a Data Processor
When Gemial Digital provides services to business clients, we may process personal data about the client’s own customers, leads, or employees on their behalf. In these circumstances, Gemial Digital acts as a data processor and the client acts as the data controller. The client remains responsible for the lawful basis of the processing and for ensuring data subjects’ rights are respected.
14.2 Data Processing Agreements
Where we process personal data on behalf of a client as a data processor, we will enter into a data processing agreement (DPA) with that client as required by the Kenya Data Protection Act 2019. The DPA sets out the subject matter, duration, nature, and purpose of the processing, the type of data processed, and the obligations and rights of both parties.
14.3 Chatbot and CRM Data
Where Gemial Digital builds and operates AI chatbots or integrates CRM systems on behalf of clients, personal data collected through those chatbots or CRM flows (including names, email addresses, phone numbers, and conversation histories) is processed on the client’s behalf. Such data belongs to the client and will be handled in accordance with the applicable data processing agreement.
14.4 Campaign and Audience Data
Where clients provide audience data, customer lists, or other personal data for use in advertising campaigns (for example, for custom audience creation on Google or Meta), that data is processed solely for the agreed campaign purposes, is not retained beyond the end of the engagement, and is not used for any other purpose without the client’s explicit consent.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, the services we offer, or applicable legal requirements. When we make material changes, we will:
- Update the “Last Updated” date at the top of this page.
- Post the revised Policy on this page with reasonable prominence.
- Where the changes are significant, notify existing clients by email.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Your continued use of this website or our services after any changes constitutes your acknowledgement of the updated Policy.
16. Governing Law & Regulatory Authority
This Privacy Policy is governed by and construed in accordance with the laws of the Republic of Kenya, including the Kenya Data Protection Act 2019 and the Kenya Information and Communications Act (Cap. 411A).
The supervisory authority responsible for overseeing data protection in Kenya is the Office of the Data Protection Commissioner (ODPC). If you have an unresolved concern about our data practices that we have not addressed to your satisfaction, you may contact the ODPC at:
Office of the Data Protection Commissioner (Kenya)
Website: odpc.go.ke
Email: info@odpc.go.ke
Address: Teleposta Towers, Kenyatta Avenue, P.O. Box 30025-00100, Nairobi, Kenya
17. Contact Us About This Policy
If you have any questions about this Privacy Policy, wish to exercise your data subject rights, or would like to request a copy of any data we hold about you, please reach out to us using the contact details below. We take all privacy enquiries seriously and aim to respond within five (5) business days.
Business Name: Gemial Digital
Privacy Contact Email: info@gemialdigital.com
Phone: +254 792 265 122 / +254 723 175 402
Contact Form: gemialdigital.com/contact/
Nairobi Address: Muthaiga, Thika Road, Nairobi, Kenya
UK Address: Reading, United Kingdom
When contacting us about your personal data, please include your full name, email address, and a clear description of your request so we can handle it efficiently and verify your identity before disclosing or amending any data.
Your privacy matters to us. Thank you for trusting Gemial Digital.
Gemial Digital — Performance-First Digital Marketing | Nairobi, Kenya
info@gemialdigital.com | +254 792 265 122 / +254 723 175 402 | gemialdigital.com
Copyright 2026 Gemial Digital. All rights reserved.
